CPE Residential IPv6 Security Poll

Sander Steffann sander at steffann.nl
Tue Sep 27 21:56:21 CEST 2016


> For what it's worth, the Swisscom approach seems sensible to me. At
> least if I understand it correctly, in that they by default only block
> ports associated with application protocols known to be insecure, meant
> for home network use only, etc. All other ports and protocols not on
> the blacklist are let through in both directions. As far as I know this
> has been working out fine for them.

I like that approach as well. It might be generalised into "ports <= x are blocked by default and can be opened manually, ports > x are open by default". Whether x=1024, x=10000 or x=16384 can be discussed. If usually services aren't listening on those high-numbered ports then the firewall blocking incoming packets for them doesn't make much of a difference anyway.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: Message signed with OpenPGP using GPGMail
Url : http://lists.cluenet.de/pipermail/ipv6-ops/attachments/20160927/6838052d/attachment.bin 

More information about the ipv6-ops mailing list